networking-calico
networking-calico is the Neutron ‘stadium’ sub-project that provides ‘Calico’
connectivity and security in an OpenStack/Neutron cloud.
Calico (http://www.projectcalico.org/) uses IP routing to provide
connectivity, in the form of a flat IP network, between the workloads in a
data center that provide or use IP-based services, whether those workloads are
VMs, containers or bare metal appliances; and it uses iptables to impose any
desired fine-grained security policy between those workloads. Calico thus
differs from most other Neutron backends, which use bridging and tunneling to
simulate L2-level connectivity between the VMs attached to a Neutron network.
Using Calico implies and requires some restrictions on the full generality of
what can theoretically be expressed by the Neutron API and data model.
Specifically:
- Calico only supports IP addresses in a single, flat IP address space.
Therefore it does not support overlapping IP ranges, or “bring your own
addressing.” In Neutron API terms, all Calico network subnets must belong to
the same address scope.
- Calico does not provide layer 2 adjacency even on the same Neutron subnet, so
raw layer 2 protocols and broadcast do not work with Calico. In Neutron API
terms, all Calico networks are l2_adjacency False.
- Calico provides connectivity between different networks by default, and
relies on security group configuration and policy to implement whatever
network isolation and finer-grained security restrictions are desired. In
Neutron API terms, this means that Calico networks must either be external
provider networks, or be tenant networks that are connected through a Neutron
router to an external network.
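The three restrictions above can be checked mechanically before a deployment is handed to the Calico driver. The following checker is an added example written for this page; it is not networking-calico's own code. It assumes Neutron resources have been fetched and reduced to plain dicts using the API attribute names (`router:external`, `l2_adjacency`, `subnetpool_id`, `address_scope_id`, `external_gateway_info`); the `interfaces` list on each router and all sample data are constructed for the example.

```python
"""Validate a set of Neutron resources against the Calico restrictions.

Added example, not networking-calico's own code. Assumptions (not from the
page): resources are plain dicts using Neutron API attribute names; each
router dict carries a constructed 'interfaces' list of the network ids it
has router interfaces on.
"""
from ipaddress import ip_network


def check_single_address_scope(subnets, subnetpools):
    """Restriction 1: one flat address space, so every subnet must sit in the
    same address scope and no two subnet CIDRs may overlap."""
    findings = []
    pool_scope = {p["id"]: p["address_scope_id"] for p in subnetpools}
    scopes = set()
    for s in subnets:
        scope = pool_scope.get(s.get("subnetpool_id"))
        if scope is None:
            findings.append(f"subnet {s['id']} has no address scope (no subnet pool)")
        else:
            scopes.add(scope)
    if len(scopes) > 1:
        findings.append(f"subnets span {len(scopes)} address scopes: {sorted(scopes)}")
    # Overlap check: an overlap within one family is a "bring your own addressing" case.
    nets = [(s["id"], ip_network(s["cidr"])) for s in subnets]
    for i, (id_a, a) in enumerate(nets):
        for id_b, b in nets[i + 1:]:
            if a.version == b.version and a.overlaps(b):
                findings.append(f"subnet {id_a} ({a}) overlaps subnet {id_b} ({b})")
    return findings


def check_no_l2_adjacency(networks):
    """Restriction 2: every Calico network must declare l2_adjacency False."""
    return [
        f"network {n['id']} does not declare l2_adjacency False"
        for n in networks
        if n.get("l2_adjacency") is not False
    ]


def check_external_reachability(networks, routers):
    """Restriction 3: a network is either an external provider network or a
    tenant network attached, via a router with an external gateway, to one."""
    external = {n["id"] for n in networks if n.get("router:external")}
    findings = []
    for n in networks:
        if n["id"] in external:
            continue
        reachable = any(
            n["id"] in r.get("interfaces", ())
            and (r.get("external_gateway_info") or {}).get("network_id") in external
            for r in routers
        )
        if not reachable:
            findings.append(f"tenant network {n['id']} has no router to an external network")
    return findings


def check_calico_constraints(networks, subnets, subnetpools, routers):
    """Run all three checks and return the combined list of findings."""
    return (
        check_single_address_scope(subnets, subnetpools)
        + check_no_l2_adjacency(networks)
        + check_external_reachability(networks, routers)
    )


# Constructed sample data: one clean external/tenant pair and one "lab" network
# that violates all three restrictions.
SAMPLE_SUBNETPOOLS = [
    {"id": "pool-a", "address_scope_id": "scope-1"},
    {"id": "pool-b", "address_scope_id": "scope-2"},
]
SAMPLE_NETWORKS = [
    {"id": "ext-net", "router:external": True, "l2_adjacency": False},
    {"id": "app-net", "router:external": False, "l2_adjacency": False},
    {"id": "lab-net", "router:external": False, "l2_adjacency": True},
]
SAMPLE_SUBNETS = [
    {"id": "ext-sub", "network_id": "ext-net", "cidr": "192.0.2.0/24", "subnetpool_id": "pool-a"},
    {"id": "app-sub", "network_id": "app-net", "cidr": "10.10.0.0/16", "subnetpool_id": "pool-a"},
    {"id": "lab-sub", "network_id": "lab-net", "cidr": "10.10.5.0/24", "subnetpool_id": "pool-b"},
]
SAMPLE_ROUTERS = [
    {"id": "r1", "external_gateway_info": {"network_id": "ext-net"}, "interfaces": ["app-net"]},
]

if __name__ == "__main__":
    for finding in check_calico_constraints(
        SAMPLE_NETWORKS, SAMPLE_SUBNETS, SAMPLE_SUBNETPOOLS, SAMPLE_ROUTERS
    ):
        print("VIOLATION:", finding)
```

Run as a script it lists four violations, all caused by the constructed `lab-net`: a second address scope, an overlapping CIDR, `l2_adjacency True`, and no router path to the external network. The external-reachability check deliberately requires the router to have an external gateway, not merely an interface on the tenant network, because a router with no gateway gives the tenant network no route out.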
For more detail, please see Detailed Semantics.